A commenter over at the Small Wars Council thought my theory about the possible motive of the Iranian Metasploit hijinks would make for a good movie–but, I assume, not the most credible analysis. First, typing commands in to msfconsole is a little hard to dramatize on screen. About the closest we’ve come to making the command line sexy was having Trinity from The Matrix run an nmap scan and a fictitious SSH exploit, and Trinity did it wearing a leather outfit (see article and YouTube clip*). The real perpetrator may be doing it unshaven and in a bathrobe. At least, that’s how I do my best work. Secondly, I am, like, so totally serious about my theory of someone more interested in disrupting intelligence agencies than Iran’s nuclear program. Here’s why:

There are certainly credible reasons why a professional intelligence agency would bang away in Iranian networks with Metasploit. If the Iranians are shutting down key parts of their network (I don’t know how vital the automation bits mentioned in Mikko’s piece are) to do forensics to figure out how the attacker is getting in, maybe blasting “Thunderstruck” is the next best thing to some fancy exploit to ruin centrifuges. Or, perhaps, some group who wants to disrupt Iran’s nuclear program is flooding them with garbage attacks to overwhelm Iranians attempts to analyze their more ‘long-term,’ targeted malware. That analysis takes time and personnel who are in short supply even in the U.S. Think of it, to borrow a phrase from one of my brilliant friends, Federico Rosario, as “a DOS attack on skilled personnel.” Others have mentioned playing “Thunderstruck” as a kind of psychological warfare on trust in terms of Iranian infrastructure.

However, these types of attacks seem every bit as likely to disrupt professional intelligence agencies’ access as help them in some way. I also am unimpressed with the PSYOPS theory, because (1) this has already been accomplished via previous malware and (2) announcing one’s presence contradicts the IC’s modus operandi in terms of being able to discretely collect information and disrupt systems. That’s why I think there is another motive at work here. The reported worm and Metasploit hijinks may even be two separate actors.

—

* – Funny enough, that little 1:09 clip dramatizes pretty much every policy maker’s fear of an infrastructure attack on the US

“If by chance you were to ask me which ornaments I would desire above all others in my house, I would reply, without much pause for reflection, arms and books.”
—Fra Sabba da Castiglione, Knight of St. John